Questions/comments about better settings for aws deploys

Michael Nelson michael.nelson at canonical.com
Thu Jan 22 05:41:01 UTC 2015


Hi people,

I'm just testing an ec2 juju deployment, and had a few questions about
setup and default secgroups, which aren't addressed in the docs afaics
[1].

First, the docs assume that you'll put your primary (administrator)
creds in your environment, which is easiest and works, but it would be
safer to create a separate identity within your account which you can
manage in isolation [2]. So I'm doing that, creating a separate user
for the environment, assigning it as a power user [3], but wanted to
check whether there is a better setting (or specific policy) to use
that will allow juju to do everything it needs and no more?

Second, the default secgroup for an aws account allows (by default)
all tcp/udp between all instances using that same default secgroup.
This secgroup is *not* associated with the juju units of the
environment (afaict, which is great, because otherwise instances in
other envs but the same account could reach them, as aws-classic
only has one default per account, afaics).

Juju seems to create its own "default-for-environment" secgroup which
is applied to all the units within the environment (in addition to one
per unit), which has similar rules to the above (i.e. all instances can
talk to each other over all ports). It also allows inbound access to
ssh, 17070 and 37017 for 0.0.0.0/0, which may be a sane default given
that you might be deploying from your laptop on different networks,
but if you're deploying from a specific machine, it makes sense to
restrict those three (no question, just a comment).

Finally, unlike openstack secgroups, aws (classic) doesn't allow any
outbound filtering rules on the secgroup (?!). Is anyone working
around this, or does it require touching iptables on each of the
units?

Thanks for any info,
Michael

[1] https://jujucharms.com/docs/config-aws
[2] https://aws.amazon.com/iam/
[3] "Provides full access to AWS services and resources, but does not
allow management of Users and groups." I'll create a group and use
that instead once I'm sure of the best permissions.
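The second point above (the environment-wide secgroup admitting ssh, 17070 and 37017 from 0.0.0.0/0) is something you can check for and tighten mechanically. The script below is an added example, not code from the original post or from Juju: it takes the JSON shape returned by `aws ec2 describe-security-groups` (SecurityGroups[].IpPermissions[] with IpProtocol, FromPort, ToPort and IpRanges), reports every ingress rule that lets the world reach one of those three ports, and emits the `aws ec2 revoke-security-group-ingress` / `authorize-security-group-ingress` commands that would replace each one with a rule limited to a single admin CIDR (the deploy host's /32). The group names, group IDs and CIDRs in the sample data are constructed for illustration; run it against real output by piping `describe-security-groups` into `world_open_rules`.

```python
"""Audit EC2 security groups for world-open ingress on the ports Juju
exposes (ssh, 17070, 37017) and draft the aws-cli commands to tighten them.

Added example for the mailing-list thread; not part of Juju.  The JSON
layout mirrors `aws ec2 describe-security-groups`; the group names, IDs
and CIDRs below are constructed sample data, not real resources.
"""
import json

# Ports the post says the "default-for-environment" group opens to 0.0.0.0/0.
JUJU_PORTS = {22: "ssh", 17070: "juju-api", 37017: "mongodb"}
WORLD = "0.0.0.0/0"

# Constructed sample: an environment-wide group with the three world-open
# rules plus the intra-environment "all tcp from the same group" rule, and
# a per-unit group exposing only port 80.  IDs and names are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupName": "juju-myenv", "GroupId": "sg-0000aaaa",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": WORLD}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 17070, "ToPort": 17070,
              "IpRanges": [{"CidrIp": WORLD}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 37017, "ToPort": 37017,
              "IpRanges": [{"CidrIp": WORLD}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0000aaaa"}]},
         ]},
        {"GroupName": "juju-myenv-1", "GroupId": "sg-0000bbbb",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": WORLD}], "UserIdGroupPairs": []},
         ]},
    ]
})


def world_open_rules(describe_output, ports=JUJU_PORTS):
    """Return one finding per (group, port) where an ingress rule lets
    0.0.0.0/0 reach one of `ports` over tcp.  Accepts the raw JSON string
    or the already-parsed dict.  Rules scoped to another security group
    (UserIdGroupPairs only) are not world-open and are ignored."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings = []
    for group in data["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            if WORLD not in {r["CidrIp"] for r in perm.get("IpRanges", [])}:
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":              # "all traffic": AWS omits FromPort/ToPort
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                   # udp/icmp are outside the post's concern
            for port, label in sorted(ports.items()):
                if lo <= port <= hi:
                    findings.append({"group_id": group["GroupId"],
                                     "group_name": group["GroupName"],
                                     "port": port, "label": label,
                                     "from_port": lo, "to_port": hi})
    return findings


def tightening_commands(findings, admin_cidr):
    """Draft aws-cli commands replacing each world-open rule with one that
    admits only `admin_cidr`.  A revoke must match the existing rule's
    protocol, port range and CIDR exactly, so it is only generated for
    single-port rules; a wider range is flagged for manual editing."""
    cmds = []
    for f in findings:
        if f["from_port"] == f["to_port"] == f["port"]:
            cmds.append("aws ec2 revoke-security-group-ingress --group-id {group_id} "
                        "--protocol tcp --port {port} --cidr {world}".format(world=WORLD, **f))
        else:
            cmds.append("# {group_id}: port {port} ({label}) is covered by a "
                        "{from_port}-{to_port} rule open to the world; edit it by hand".format(**f))
        cmds.append("aws ec2 authorize-security-group-ingress --group-id {group_id} "
                    "--protocol tcp --port {port} --cidr {cidr}".format(cidr=admin_cidr, **f))
    return cmds


if __name__ == "__main__":
    found = world_open_rules(SAMPLE_DESCRIBE_OUTPUT)
    for f in found:
        print("{group_name} ({group_id}): {label} port {port} open to {w}".format(w=WORLD, **f))
    print("\n".join(tightening_commands(found, "203.0.113.7/32")))
```

Note that the intra-environment rule (all tcp from the same group) is deliberately not reported: it is the equivalent of the account default group's behaviour, scoped to the environment, and is what lets units talk to each other. Only the three rules with a literal 0.0.0.0/0 source are flagged.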
